Unable to block traffic between VLANs
I am trying to block traffic between two VLANs on an MX8CW and nothing I have tried works, and I feel like it's probably something simple. I have tried blocking using CIDR and VLAN (screenshots below); neither of the rules is showing any hits and I can ping devices from either direction.
I have another rule not shown that blocks a device from accessing the internet and that works fine so I am out of ideas. If anyone has any suggestions that would be appreciated.
Hmmm the only things that come to mind are the usual:
1. Either reboot the MX or wait at least 15 mins after creating the rule before testing
2. Ensure you're not testing using IP addresses on the MX as they will always respond to ping across VLANs
Are the L3 VLAN interfaces configured on the firewall? If not, then these rules are of no use. Also try creating a vice-versa rule, i.e. from testing to default and from default to testing, and then check.
If you are sure the traffic is being routed by the MX, you can confirm that with a packet capture.
*If you want to be really sure
The rule configuration is good in both screenshots.
If you are not making progress, try making the blocking rules symmetric. Block 192.168.4.0/24 to 192.168.10.0/24 and 192.168.10.0/24 to 192.168.4.0/24.
The firewall engine on the MX is flow-based. Firewall rules only take effect on new flows as they are created. So you could be accessing something, create a firewall rule to block it, but because the existing flow has already been created it will continue to work till it expires.
That's why you sometimes have to wait 10 minutes (or reboot as @Brash mentions).
Also note that firewall rules don't apply to the MX interfaces themselves.
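To make the two points above concrete (rules only bite on new flows, and a one-directional rule still lets the other side start flows), here is a toy flow-table model added as an example; it is not the MX implementation, and the 600-second idle timeout, the `FlowFirewall` class and the `demo()` walkthrough are assumptions built around the subnets named in this thread.

```python
import ipaddress

# Toy model of a flow-based (stateful) firewall, constructed for illustration.
# Assumed behaviour: a flow entry is created when a packet is allowed, and later
# packets of that flow are forwarded without re-evaluating the rules.
FLOW_TIMEOUT = 600  # seconds of idle time before a flow entry expires (assumed)


class FlowFirewall:
    def __init__(self):
        self.rules = []   # ordered list of (src_net, dst_net) deny rules
        self.flows = {}   # (initiator_ip, responder_ip, port) -> last-seen time

    def add_deny(self, src_cidr, dst_cidr):
        self.rules.append((ipaddress.ip_network(src_cidr), ipaddress.ip_network(dst_cidr)))

    def packet(self, src, dst, port, now, reply=False):
        """Return True if the packet is forwarded, False if it is dropped."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Reply packets are keyed by the flow's original initiator.
        key = (dst, src, port) if reply else (src, dst, port)
        seen = self.flows.get(key)
        if seen is not None and now - seen < FLOW_TIMEOUT:
            self.flows[key] = now   # existing flow: rules are not consulted
            return True
        if reply:
            return False            # reply with no matching flow state: drop
        if any(src in s and dst in d for s, d in self.rules):
            return False            # new flow matched a deny rule
        self.flows[key] = now       # new flow allowed and recorded
        return True


def demo():
    fw = FlowFirewall()
    t = 0
    # 1. Host A (VLAN 4) opens a flow to host B (VLAN 10) before any rule exists.
    fw.packet("192.168.4.10", "192.168.10.20", 443, t)
    fw.add_deny("192.168.4.0/24", "192.168.10.0/24")
    # 2. The same flow keeps working after the rule is added ...
    still_open = fw.packet("192.168.4.10", "192.168.10.20", 443, t + 60)
    # 3. ... but a brand-new flow from A to B is blocked immediately.
    new_blocked = not fw.packet("192.168.4.10", "192.168.10.20", 80, t + 60)
    # 4. Once the old flow idles past the timeout, the rule finally bites.
    expired = not fw.packet("192.168.4.10", "192.168.10.20", 443, t + 60 + FLOW_TIMEOUT)
    # 5. One-directional rule: B can still start a flow to A, and A's replies pass.
    b_to_a = fw.packet("192.168.10.20", "192.168.4.10", 22, t + 60)
    a_reply = fw.packet("192.168.4.10", "192.168.10.20", 22, t + 61, reply=True)
    return still_open, new_blocked, expired, b_to_a, a_reply
```

Step 5 is why the symmetric pair of rules is suggested: without the reverse rule, hosts in 192.168.10.0/24 can still initiate connections into 192.168.4.0/24.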
Thanks everyone, using VLANs instead of subnet CIDR did the trick after waiting 20-odd mins. L3 interfaces are set up on the MX and I was pinging devices on the subnets, not the L3 interfaces.
